We introduced access control in the previous lecture, and we said it's about mechanisms to control what resources users can access. We said that there are three types: discretionary access control, role-based and mandatory access control. We've only touched upon discretionary access control so far. Today we'll just recap on that, introduce the other two quite briefly, and then we'll finish with some examples, mainly about discretionary access control, which may be helpful for your homework.

So we have entities which are referred to as subjects. A subject wants to access some resource, or some object, and an access control mechanism will specify, or will control, what subjects can access what objects. In the examples we will use, the subjects are mainly users, humans, or maybe some software process acting on behalf of the users, and the object is a file. But it doesn't have to be a file; it can be any resource available in a computer system. It's just usually easy to think of files and give examples with file-based access control.

With discretionary access control there are some access rights specified at the start, when the system is deployed. So some administrator specifies some initial access rights: what a subject can do with different objects. That can be specified via different means, so we can think of it as a matrix which specifies what subjects can do with what objects. Users can do different things with different objects, and the things that they can do we refer to as access rights, or sometimes, with respect to files, modes: modes in which we can access the file. Read, write, execute and owner are examples, but other systems may have different access rights.
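As an added example (not part of the lecture), here is that access matrix as a small Python program: a default-deny check, plus the same information re-stored as per-object access control lists, per-subject capability lists and a flat authorization table, the alternative representations the lecture turns to next. The users, files and the rule that only a holder of the owner mode may grant rights to others are constructed assumptions, not from the lecture.

```python
"""Discretionary access control as an access matrix.

Added example (not part of the lecture): a subject/object matrix of access
rights, a default-deny check, and the three equivalent ways the same
information can be stored: per-object access control lists, per-subject
capability lists and a flat authorization table. The users, files and
rights below are constructed sample data.
"""
from collections import defaultdict

# Rows are subjects, columns are objects; a cell holds the set of modes the
# subject has on that object. Missing cells mean "no rights" (default deny).
ACCESS_MATRIX = {
    "userA": {"file1": {"read", "write", "owner"}, "file3": {"read"}},
    "userB": {"file1": {"read"}, "file2": {"read", "write"},
              "file3": {"execute"}, "file4": {"read", "owner"}},
    "userC": {"file2": {"read"}},
}

def check_access(matrix, subject, obj, mode):
    """Return True only if the matrix explicitly grants `mode`; anything
    missing is denied, which is the default an ACL falls back to."""
    return mode in matrix.get(subject, {}).get(obj, set())

def to_acls(matrix):
    """Per-object view: for each object, which subjects hold which modes."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, modes in row.items():
            acls[obj][subject] = set(modes)
    return dict(acls)

def to_capabilities(matrix):
    """Per-subject view: each subject carries its own list of (object, modes)."""
    return {subject: {obj: set(modes) for obj, modes in row.items()}
            for subject, row in matrix.items()}

def to_authorization_table(matrix):
    """Flat table: one (subject, mode, object) row per granted right."""
    return sorted((subject, mode, obj)
                  for subject, row in matrix.items()
                  for obj, modes in row.items()
                  for mode in modes)

def grant(matrix, granter, obj, grantee, mode):
    """The 'discretionary' part (assumed semantics): only a subject holding
    the owner mode on an object may extend rights on it to another subject."""
    if not check_access(matrix, granter, obj, "owner"):
        raise PermissionError(f"{granter} does not own {obj}")
    matrix.setdefault(grantee, {}).setdefault(obj, set()).add(mode)

if __name__ == "__main__":
    print(check_access(ACCESS_MATRIX, "userA", "file4", "read"))  # False
    print(sorted(to_acls(ACCESS_MATRIX)["file1"]))                # ['userA', 'userB']
```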
There's no one fixed set of access rights. But with a matrix, especially in a file system where we have thousands, maybe millions of files, and even hundreds or thousands of users, specifying a large matrix for all of them may be inefficient to maintain, because many of the elements may be empty or there may be some default values. So you can take that same information and specify it as a set of access control lists, which say, for each file or each object, what different users can do; and if a user is not in the access control list, then it gets some default access right, like zero access rights. So for file 4, user A cannot do anything, because A is not in the access control list. That's a more efficient way to store that access right information.

The other way is per user: for each user you specify what they can do on different objects. So user A can do things on files 1 and 3, user B on 1, 2, 3, 4, and so on. So there are two variants in which we can do that, and different computer systems will make use of them depending upon, for example, the number of objects and the number of subjects that we need to control. And a fourth approach is just to list all of those access rights or access modes in a table, an authorization table.

Any questions on those four techniques?

You moved from over there to here, to get away from there so that no one interrupts you? Correct. Stay here, and don't interrupt others. Okay, there's a seat up here if you like. You'll break it. You'll break it.

We'll come back to some examples of discretionary access control, but let's look at the other two approaches. The aspect of discretionary which I didn't mention then was that once there are some initial access rights, the users may be able to modify them. They have some discretion to make changes. We'll see the others, especially mandatory, don't allow that. But first let's look at role-based access control. With discretionary access control,
we said each user has some rights on each object. With role-based access control we assign users to roles, and we say each role has a particular set of rights for an object. So access rights are assigned to roles. The roles may be job functions. So if it's in an organization, the role may be your position in that organization: manager, director, engineer, programmer, depending upon the organization. So you have some role, and based upon your role in the organization, you may have access rights on different things in the computer system.

Users may be assigned to multiple roles. So even though you may have one position, for example in SIT, we may think of a role as faculty member. So users have the role of faculty member, but another role may be head of school, and some users are both faculty member and head of school. So users may take, or may be assigned, multiple roles. And it may be static or dynamic: the system may allow changing of users between roles. Sometimes we refer to a session, in that a user has some temporary assignment to a role. In fact, in the registration system that you all use for SIT, you log in to the registration system as a student and you can see your own grades and enrol for subjects. As a faculty member, what I can do is log in as an instructor or a lecturer, and I can see the grades of the students I'm teaching. Say the head of school may do that: he can see the grades of the students that he is teaching at the moment, but also he can switch temporarily to the head of school role to look at the grades of all students in the school. So that's an example of how you can, for a temporary time, switch to another role. We can talk about that as a session.

We can use an access control matrix to map users to roles and roles to objects, and the next slide gives a simple example. So we need two tables in this case. The first one maps the users to roles, so you see U on the rows and R on the columns.
So in this example, it says in role 1 we have three users. So there are three users who belong to role 1: user 1, user 2 and the last one, user M here. In role 2 there's one user in this example, and user 3 can take two roles, role 2 and role N. So of the roles in the organization, or more precisely for that computer system, we map users to those roles, and there can be more than one user per role.

Then for the access control we define the access rights on objects, the same as discretionary access control, but per role, not per user. So in the same way we saw with the discretionary access control, we can say a particular file, for example, is readable only by the users in role 1. Another file may be readable and owned by users in R1, and so on. So these specify the access rights for objects by users in particular roles. This can make the administration of the access control system potentially easier, because you specify the access rights not per user, especially when you have many users; you just specify per role, where often a role will contain multiple users. Other than that, similar concepts to discretionary access control, but now we do it per role.
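An added Python example (not from the lecture or any system it names): the two tables above, users to roles and roles to object rights, with default deny, plus the role hierarchy and constraints the lecture goes on to describe (rights inherited from junior roles, mutually exclusive roles, a maximum number of users per role and roles per user, and a prerequisite junior role). The engineering roles, files and constraint values are constructed sample data.

```python
"""Role-based access control with a role hierarchy and constraints.

Added example, not part of the lecture: users map to roles and roles to
object rights (the two tables above); rights are inherited down the
hierarchy, and assigning a role is refused if it would break a constraint
(mutually exclusive roles, users per role, roles per user, prerequisite
junior role). Roles, users and files are constructed sample data.
"""

class RBAC:
    def __init__(self):
        self.user_roles = {}    # user -> set of roles assigned
        self.role_perms = {}    # role -> {object: set of modes}
        self.juniors = {}       # role -> roles it inherits rights from
        self.exclusive = []     # sets of mutually exclusive roles
        self.max_members = {}   # role -> maximum number of users in it
        self.max_roles_per_user = None
        self.prerequisite = {}  # senior role -> junior role needed first

    def add_role(self, role, perms=None, inherits=()):
        self.role_perms[role] = {o: set(m) for o, m in (perms or {}).items()}
        self.juniors[role] = set(inherits)

    def effective_roles(self, role):
        """The role plus every role below it in the hierarchy."""
        roles = {role}
        for junior in self.juniors.get(role, ()):
            roles |= self.effective_roles(junior)
        return roles

    def assign(self, user, role):
        """Assign a role to a user, refusing if a constraint would be violated."""
        held = self.user_roles.get(user, set())
        for group in self.exclusive:
            if role in group and held & (group - {role}):
                raise PermissionError(f"{role} is mutually exclusive with a role {user} holds")
        holders = sum(1 for rs in self.user_roles.values() if role in rs)
        if holders >= self.max_members.get(role, float("inf")):
            raise PermissionError(f"{role} already has its maximum number of users")
        if self.max_roles_per_user is not None and len(held) >= self.max_roles_per_user:
            raise PermissionError(f"{user} already holds the maximum number of roles")
        if role in self.prerequisite and self.prerequisite[role] not in held:
            raise PermissionError(f"{role} requires {self.prerequisite[role]} first")
        self.user_roles.setdefault(user, set()).add(role)

    def check_access(self, user, obj, mode):
        """Default deny: allow only if a held role, or one it inherits from, grants the mode."""
        return any(mode in self.role_perms[r].get(obj, set())
                   for role in self.user_roles.get(user, ())
                   for r in self.effective_roles(role))

def build_engineering_example():
    """The car-manufacturer hierarchy from the lecture, as constructed data."""
    s = RBAC()
    s.add_role("engineer1", {"design.doc": {"read"}})
    s.add_role("production_engineer", {"line.cfg": {"read", "write"}}, inherits=["engineer1"])
    s.add_role("quality_engineer", {"qa.log": {"read"}}, inherits=["engineer1"])
    s.add_role("project_leader", inherits=["production_engineer", "quality_engineer"])
    s.add_role("director", inherits=["project_leader"])  # top of the hierarchy: inherits everything
    s.exclusive.append({"production_engineer", "quality_engineer"})
    s.max_members["director"] = 1
    s.max_roles_per_user = 2
    s.prerequisite["project_leader"] = "production_engineer"
    return s
```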
So suppose you're developing a web-based application. You're developing the website and you have many users who will access that website; then you may choose, or even combine, between discretionary and role-based access control. It may be per user that you define the permissions, or you assign users to roles. For example, you all access Moodle, and your role there is a student. Similarly, there's a role of instructor, a role of lecturer and a role of manager or administrator, and they have different permissions on the different objects.

With role-based access control, often there may be some hierarchy, and the hierarchy in the computer system usually reflects the hierarchy in an organization. For example, in this case, in an organization there may be engineers in some engineering department, and those engineers may be of different types. So, depending on the organization, maybe it's a car manufacturing organization, there are production engineers and quality engineers; there are project leaders and the director, for example, of the department. So that may be the organizational hierarchy, and the roles may be connected as well in the access control. For example, what we can say is that someone in a higher role may inherit the access rights of the roles below it. For example, if engineer 1 can do something, then the production and quality engineers, which are at a higher level, can also inherit those permissions or access rights; we don't need to specify them for them. And the director can do everything, because the director is at the top. So you can define, in the access control system, relationships between those roles. The project leader can do everything that production engineer 1 and the quality engineer can do, for example. It doesn't have to be like that, but many role-based systems will allow that hierarchical approach.

There are other constraints that may be used in role-based systems. So, like that example, we can specify the relationships between roles, and there are different ways to do that. In that example, we said a higher role
includes all access rights of a lower role. So that's one way we can specify the relationship. We don't have to have that, but that's possible. We may specify mutually exclusive roles: of a set of roles, a user can be in only one of those. You cannot be in two at the same time. And again, it depends upon the organization as to whether that's required or not. There may be conditions on the maximum number of users in a role. So for the director, for example, only one user can be in the role of director; that may be a condition on the system, and the access control system, the software, will enforce that condition. Once there's a user who's in the role of director, it will not allow you to add another user into that role. So again, you can enforce those requirements: for example, the maximum number of users assigned to a role; the maximum number of roles a user can be assigned to, for example a user can have no more than one role, or no more than two roles; and also the maximum number of roles that can be granted particular rights, so no more than five roles can be given these access rights on these objects. These constraints allow the administrator to specify stricter access control, especially related to how the organization operates. And there may be some prerequisites specified. For example, a user can only be assigned a senior role if they've already been assigned a junior role.

So role-based access control is mainly used in computer systems where there's a strong relationship with the organization. Discretionary access control we will see mainly used in, or is the main form used in, for example, file systems. When we look at managing files on a computer, discretionary access control is the main form used. Whereas maybe in computer applications, websites for internal organization use, then a role-based access control system may be more appropriate.

So let's look at the third option, mandatory access control. As opposed to discretionary, where the users could make some changes
to the permissions, in mandatory access control, once the administrator sets up the permissions, nothing can be changed. It leads to much stricter control of the resources. It's based on the concept of multi-level security, which is used in military organizations. So, for example, it doesn't have to be this classification, but an example is that we can distinguish between different levels of security. Such as, we can say, something is top secret, which is at a higher level of security than secret, which is at a higher level than confidential, versus restricted, versus unclassified. So that's just one example of the different levels of security. We may have other names, or more or fewer levels. But given that we define a set of levels of security, where it's always such that one is greater than the other in terms of security, we still have subjects and objects. The subjects are the users; the objects are the resources we want to control access to. And the subject is given some security clearance. So the user is specified to have some clearance at a particular level. For example, a user could be given a clearance at the level of secret, or at the level of restricted. So users, or subjects, are given a clearance at some level. And an object, the resource we want to control, is classified at a particular level. So an object may be classified as confidential, or unclassified, which is the lowest level in this example. And so we need both of them, and the administrator of the system would define the security clearances and the classifications up front.

If we jump back to one of our first slides: remember, access control controls what the users can do with resources. For it to work, there needs to be some authorization database that specifies these access rights, for example the matrix or the access control list, or, in mandatory access control, specifies the clearance levels and the classification levels. So there's some
administrator who does that up front. So once the administrator specifies that the subjects are cleared at some level and the objects are classified at some level, then to maintain confidentiality there are two properties that are required. The first is maybe the most obvious one: the property of no read up, which means that a subject can only read an object of less or equal security level. That is, the subject with a particular clearance can only read objects with that clearance or lower, with that classification or lower. That is, if the subject is cleared at confidential, they can read resources which are either confidential, restricted or unclassified. A subject which is cleared at confidential cannot read resources which are classified as secret or top secret. So you cannot read up in terms of the levels. Does that one make sense?

So now we think of our resources as classified at some level. So we have a file, and we say this file is classified as confidential; this other file is classified as restricted; and this third file is classified as top secret. So we classify our resources, and similarly with users: we clear them to a particular level. This user is cleared to secret; this other user is cleared to classified. That happens at the start. And we have a requirement that a subject with a particular clearance can only read objects which are classified at that level or lower levels. If I'm cleared to be...
If I'm cleared at confidential, I can read any confidential document, I can read any restricted document, or any unclassified document. And I cannot read up, to secret documents or top secret. Once again, this is just an example, these names of levels. There may be more, and they may be different names, but the example is common in government or military organizations. Any questions so far on no read up?

The other one, which maybe is not so obvious at the start, is the property of no write down. A subject cannot write, so write means modify, delete; cannot write into an object of greater or equal security level. If I am classified as secret, can I read a confidential document? Yes or no? I am classified as secret; can I read a confidential document? Yes: the property of no read up allows me to read the ones lower. If I'm classified at the secret level, can I modify a confidential document? I cannot modify a confidential document. I can read it, but I cannot modify it. So again, if I'm classified as secret, I can read a confidential document, but the no write down property says I cannot modify or write that confidential document. Why is that? Why? So I'm allowed to read it, but I'm not allowed to write it, or write to that level. What's the reason for that no write down property?

Again, this is mandatory access control. The permissions are set up at the start; the users are not allowed to change them. And the no write down property ensures that a user doesn't release information at one level down to the lower level. That is, if I read a secret document, I'm at the secret clearance level and I read a secret document, and then I try to write a document at the confidential level, that leads to the possibility that I release the secret information down to people who are classified just as confidential. So I'm not allowed to create, you can think, I'm not allowed to create confidential documents in that case, because there's at least the possibility that I'll release information from a higher level down to the
lower levels. So it's quite strict on that requirement. Does that one make sense? So this is to ensure that we do not release information from one level down to people who do not normally have the permission to read that information. I can read a secret document with a secret clearance, but if you're at the confidential clearance you cannot read a secret document. But if the system allows me to write a document, create a document at the confidential level, then it potentially allows me to take the secret information that I can read and release it at a lower level, confidential for example. And that's a problem. So mandatory access control, and the no write down property, builds in a mechanism to stop people releasing information from one level down to other levels.

Questions on mandatory access control? Very brief on this one. It's primarily used where we need a strong or a high level of security. So if we think of computer systems in cases where we want to be very certain of the security, it may be used as opposed to role-based or discretionary access control. Note that the clearance and classification is determined by some administrator, and the users, the subjects, cannot override that policy. So they don't have the discretion to change things. There are some models, mathematical models, that allow more formal analysis and proof that certain properties are met. That's all we'll say about mandatory access control. It's not common by default, for example in file systems, but it is usually available as an option. So if you install your operating system on your computer, usually the file system will use discretionary access control, and we'll see more examples of that. But often there are implementations of mandatory access control that you can choose as an option. Different operating systems have different software available to have this more secure, and there are different versions on files. So Windows, OS X and Linux operating systems all have their own variants of software that will implement
mandatory access control, where you can specify those levels. They don't have to be named these five or six levels, but you can specify them and be much stricter on what can change in terms of the access control, leading to a much more secure system.

Questions? Do I open the microphone? Question: yes, I did, but it's not very loud, is it? Is that better? Good. Any other questions about the topic? Maybe you didn't hear the last ten minutes, and that's why there are no questions.

So be aware of the differences between those three approaches. Discretionary, we'll see some more examples in a moment; with discretionary, we can change the permissions. Role-based is similar to discretionary, but we do it per role, not per user. And mandatory access control, where we have these stricter requirements, which is much more useful for systems that need higher levels of security. We'll go to an example of discretionary access control, which will help the assignment, in a moment, and summarize to finish this presentation. So what is access control?
It's a means for preventing unauthorized use of resources. Objects are referred to here as the resources. The resources, or the objects, can be files, and we'll use examples of files a lot, but they may be other things: database records, so rows in a database, for example; parts of a disk, sectors or blocks of a disk; some memory; software processes; and any type of resource that our computer system may offer the users. And we have subjects. Although we talk about users and human users, usually for a computer system it's a piece of software running on behalf of the user, so a software process. And we may have different classes of subjects. In some file systems we talk about the owner of an object; we may talk about groups of users, or all users in the system, and some different classes of subjects. And the access rights: again, there are different access rights, but we'll see common ones, like we can read a resource, we can write or modify, execute. Sometimes write includes delete, sometimes it doesn't, so maybe there's a separate delete access right. In databases, for example, if you set up a database then you'll see that you can grant different permissions, including to create tables, to create different entries.

In discretionary access control the rights are granted to the subjects. It's very common in operating systems, in databases. In role-based access control the subjects take a role and the rights are assigned to those roles, so it's common in applications that are closely aligned with the organization. And mandatory access control, where the subjects and objects are assigned to levels, and the subjects, the users, cannot modify that assignment. So it's fixed; it's mandatory as to what the administrator sets.

Maybe there are different security issues, but one main issue is that all of this relies on the administrator setting up the permissions correctly at the start. So in all of these three mechanisms, someone has to initially set what access rights those users, roles or levels have. So if they make a mistake, then that may lead to a
compromise of the security of the system.

And things that we do not talk about, which are related and some are interesting, are trusted computing and secure boot, which is related to techniques to make sure that, from the time when you boot your computer system, when it starts, through to when it loads applications and allows users to do things, all those steps can be trusted: that no attacker can compromise one of those steps. That is to add a much higher level of security than what we currently have in our common computer systems.
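Returning to the mandatory access control part of the lecture, an added Python example (not from the lecture): the ordered security levels with clearances and classifications fixed by the administrator, and the no read up and no write down checks, the latter implemented as the standard multi-level security rule that a subject may write only to objects at its own level or above. User and file names and their levels are constructed sample data that follow the lecture's walkthrough.

```python
"""Mandatory access control: the no-read-up and no-write-down rules.

Added example (not part of the lecture): the ordered levels, clearances
and classifications from the mandatory access control part of the lecture,
with the two rules enforced by a reference monitor that subjects cannot
change. Subjects, files and their levels are constructed sample data; the
level names follow the lecture's example.
"""

# Lowest to highest; the index gives the ordering "one is greater than the other".
LEVELS = ["unclassified", "restricted", "confidential", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

class MLSMonitor:
    """Holds the administrator's clearances and classifications. There is
    deliberately no method for a subject to change either: that is what
    makes the control mandatory rather than discretionary."""

    def __init__(self, clearances, classifications):
        for level in list(clearances.values()) + list(classifications.values()):
            if level not in RANK:
                raise ValueError(f"unknown security level: {level}")
        self._clearance = dict(clearances)
        self._classification = dict(classifications)

    def can_read(self, subject, obj):
        """No read up: object classification must be <= subject clearance."""
        return RANK[self._classification[obj]] <= RANK[self._clearance[subject]]

    def can_write(self, subject, obj):
        """No write down: object classification must be >= subject clearance,
        so a subject cannot copy what it has read into a lower-level object."""
        return RANK[self._classification[obj]] >= RANK[self._clearance[subject]]

    def allowed_modes(self, subject, obj):
        """Convenience view: which of read/write the two rules permit."""
        return {m for m, ok in (("read", self.can_read(subject, obj)),
                                ("write", self.can_write(subject, obj))) if ok}

def leak_attempt(monitor, subject, source, target):
    """Trace the scenario from the lecture: a secret-cleared subject reads a
    secret document and then tries to write a confidential one. Returns the
    step at which the monitor stops it, or None if both steps were allowed
    (which the rules never permit when target is below source)."""
    if not monitor.can_read(subject, source):
        return "read denied (no read up)"
    if not monitor.can_write(subject, target):
        return "write denied (no write down)"
    return None

def build_lecture_example():
    """The files and users the lecture walks through, as constructed data."""
    return MLSMonitor(
        clearances={"alice": "secret", "bob": "confidential"},
        classifications={"file1": "confidential", "file2": "restricted",
                         "file3": "top secret", "memo": "secret"},
    )
```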